Krebs on Security

In-depth security news and investigation

Home Depot Hit By Same Malware as Target

The apparent credit and debit card breach uncovered last week at Home Depot was aided in part by a new variant of the malicious software program that stole card account data from cash registers at Target last December, according to sources close to the investigation.

Photo: Nicholas Eckhart

On Tuesday, KrebsOnSecurity broke the news that Home Depot was working with law enforcement to investigate “unusual activity” after multiple banks said they’d traced a pattern of card fraud back to debit and credit cards that had all been used at Home Depot locations since May of this year.

A source close to the investigation told this author that an analysis revealed at least some of Home Depot’s store registers had been infected with a new variant of “BlackPOS” (a.k.a. “Kaptoxa”), a malware strain designed to siphon data from cards when they are swiped at infected point-of-sale systems running Microsoft Windows.

The information on the malware adds another indicator that those responsible for the as-yet unconfirmed breach at Home Depot also were involved in the December 2013 attack on Target that exposed 40 million customer debit and credit card accounts. BlackPOS also was found on point-of-sale systems at Target last year. What’s more, cards apparently stolen from Home Depot shoppers first turned up for sale on Rescator[dot]cc, the same underground cybercrime shop that sold millions of cards stolen in the Target attack.

Clues buried within this newer version of BlackPOS support the theory put forth by multiple banks that the Home Depot breach may involve compromised store transactions going back at least several months. In addition, the cybercrime shop Rescator over the past few days pushed out nine more large batches of stolen cards onto his shop, all under the same “American Sanctions” label assigned to the first two batches of cards that originally tipped off banks to a pattern of card fraud that traced back to Home Depot. Likewise, the cards lifted from Target were sold in several dozen batches released over a period of three months on Rescator’s shop.

The cybercrime shop Rescator[dot]cc pushed out nine new batches of cards from the same “American Sanctions” base of cards that banks traced back to Home Depot.

POWERFUL ENEMIES

The tip from a source about BlackPOS infections found at Home Depot comes amid reports from several security firms about the discovery of a new version of BlackPOS. On Aug. 29, Trend Micro published a blog post stating that it had identified a brand new variant of BlackPOS in the wild that was targeting retail accounts. Trend said the updated version, which it first spotted on Aug. 22, sports a few notable new features, including an enhanced capability to capture card data from the physical memory of infected point-of-sale devices. Trend said the new version also has a feature that disguises the malware as a component of the antivirus product running on the system.

Contents of the new BlackPOS component responsible for exfiltrating stolen cards from the network. Source: Trend Micro.

Trend notes that the new BlackPOS variant uses a similar method to offload stolen card data as the version used in the attack on Target.

“In one [of] the biggest data breach[es] we’ve seen in 2013, the cybercriminals behind it offloaded the gathered data to a compromised server first while a different malware running on the compromised server uploaded it to the FTP,” wrote Trend’s Rhena Inocencio. “We surmise that this new BlackPOS malware uses the same exfiltration tactic.”

An Internet search on the unique malware “hash” signature noted in Trend’s malware writeup indicates that the new BlackPOS version was created on June 22, 2014, and that as late as Aug. 15, 2014 only one of more than two dozen anti-malware tools (McAfee) detected it as malicious.

ANTI-AMERICAN MALWARE

Other clues in the new BlackPOS malware variant further suggest a link between the cybercrooks behind the apparent breach at Home Depot and the hackers who hit Target. The new BlackPOS variant includes several interesting text strings. Among those are five links to Web sites featuring content about America’s role in foreign conflicts, particularly in Libya and Ukraine.

One of the images linked to in the guts of the BlackPOS code.

Three of the links point to news, editorial articles and cartoons that accuse the United States of fomenting war and unrest in the name of Democracy in Ukraine, Syria, Egypt and Libya. One of the images shows four Molotov cocktails with the flags of those four nations on the bottles, next to a box of matches festooned with the American flag and match ready to strike. Another link leads to an image of the current armed conflict in Ukraine between Ukrainian forces and pro-Russian separatists.

As I discovered in my profile of Rescator, he and his crew seemed somewhat taken with the late despotic Libyan leader Muammar Gaddafi, although they prefer the phonetic spelling of his name. The Web site kaddafi[dot]hk was among four main carding shops run by Rescator’s crew (it has since been retired and merged with Rescator[dot]cc). The domain kaddafi[dot]me was set up to serve as an instant message Jabber server for cybercrooks, advertising its lack of logging and record keeping as a reason crooks should trust kaddafi[dot]me to handle their private online communications.

When I reached out to Rescator last December to obtain comment about my findings on his apparent role in the Target break-in, I received an instant message reply from the Jabber address “kaddafi@kaddafi[dot]me” (in that conversation, the person chatting with me from that address offered to pay me $10,000 if I did not run that story; I declined). But I also discovered that the kaddafi[dot]me domain was a blog of sorts that hosted some harsh and frankly chilling anti-American propaganda.

The entire three-part manifesto posted on the kaddafi[dot]me home page is no longer available, but a professionally translated snippet of this tirade reads:

“The movement of our Republic, the ideology of Lampeduza – is the opposition to Western countries, primarily targeting the restoration of the balance of forces in the world. After the collapse of the USSR, we have lost this fragile equilibrium face of the planet. We – the Senate and the top people of the Republic are not just fighting for survival and our place under the sun, we are driven by the idea! The idea, which is living in all of us – to return all that was stolen and taken from our friendly countries grain by grain! We are fighting for a good cause! Hot blood is flowing in us, in citizens, who want to change situation in the world. We do not bend to other people’s opinions and desires, and give an adequate response to the Western globalism. It is essential to be a fighter for justice!

Perhaps we would be living completely differently now, if there had not been the plan of Allen Dulles, and if America had not invested billions in the collapse of the USSR. We were deprived of a common homeland, but not deprived of unity, have found our borders, and are even closer to each other. We saw the obvious principles of capitalism, where man to a man is a wolf [[see here for more context on this metaphor]]. Together, we can do a lot to bring back all the things that we have been deprived of because of America! We will be heard!

Citizens of Lampeduza – “free painters” ready to create and live the idea for the good of the Motherland — let’s first bend them over, and then insert deeper!!!

This entry was posted on Sunday, September 7th, 2014 at 11:14 pm and is filed under A Little Sunshine, Data Breaches.

“After the collapse of the USSR, we have lost this fragile equilibrium face of the planet. We – the Senate and the top people of the Republic are not just fighting for survival and our place under the sun, we are driven by the idea! The idea, which is living in all of us – to return all that was stolen and taken from our friendly countries grain by grain! ”

It seems that history has been forgotten, or selectively ignored by this young generation of zombies who cannot be satiated with the blood of their children. Revolution is the lie they tell themselves to steal the money from my mother.

That’s what they get for showing that stupid “barefootin” commercial over and over again. Cramming 5 different races into an unrealistic social scenario will result in your system getting hacked every time. Hopefully they will make realistic commercials in the future and prevent future attacks.

Oh propagandist, I admit freely, I am extremely racist.
While I am entirely for the human race, I deeply despise the rat race and dearly yearn for its extinction.

That said, people, individually and in large groups tend to remind me of the south end, of a northbound hose, beneath the tail, also referred to as the patoot or patootie.
Not to draw too fine a point on the matter.
But, to ensure that I’ve been overly excessive in my explanation of my opinion of some folk.

“SSL Labs scan is more revealing of the weakness in Home Depot’s IT security practice – 2 days after a major breach, the “secured” checkout server of Home Depot website failed a very basic, ancient PCI compliance test – SSL V2 and weak ciphers.”

Absolutely correct. When I perform vendor evaluations I first check out all of their public properties using a variety of methods: SSL Labs, robots.txt file, DNS zone transfers or not, mixed content or not, SSL on login pages, site: in Google, etc. It’s just the basics that can be done with third-party sites or clicking on their pages.

I’ve learned over the years that a company’s Internet cleanliness is similar to how someone keeps track of the exterior of their home. If the public-facing part of either is well-maintained, current and “clean”, then the inside is probably the same.

If they’re not afraid to be sloppy on the outside where anyone can see it, they’re probably worse on the inside.

We bounced a large potential vendor once because their public web site was a disaster. When I told their team that “they were a mess”, they were shocked. They tried to defend all of their bad practices, such as linking to their subcontractor sites that were worse than theirs, with “you won’t be using their site” and other such nonsense.

Apparently I don’t deal well with people who make excuses, particularly when it’s apparent from them that the defects were already known and being ignored.

One has to wonder about the competence of the NSA’s spying capabilities, and the intelligence that oversees our national security. Keith Alexander offered his services to banks to prevent some of this hacking, so the NSA agency he oversaw should have some capabilities. A congressman asserted Alexander should be investigated for selling national secrets for offering his services to banks. So preventing hacking is a national secret?

The best way to reduce these too-frequent hacks is through class action lawsuits. Perhaps then the profit equation will involve customer data security and the business concerns will pay for the talent and hardware necessary to do a better job at that.

Hey I am pretty sure I was hacked by the Home Depot scam. But luckily I was offered free credit monitoring by a company that tracks and shares my personal information with 3rd parties for marketing purposes. Wow, thanks. You stink Home Depot! Never again, you can join Target as a place I will never shop again.

Brian has already reported that too much card information available for sale has a downward effect on the sale price, so a smart criminal will avoid flooding the market with new card information. (Standard rules of supply and demand)

Credit card networks and banks can’t identify problems until cards are reported by customers as having been used inappropriately — at which point they do common point analysis. At this point, they’ll probably reach out to Brian…

The Anti virus vendors do analysis of samples, but they have a commercial interest in not disclosing impacted customers (without approval).

The Secret Service doesn’t generally comment on ongoing investigations.

Yeah man, I hear that ‘wait for it to be reported here ;-(‘ … yeah, I hear you. And sure, all those folks have all those reasons for doing what they do – those are good reasons. I mean, kinda. And I don’t begrudge any of those folks for their bounds they have to operate in. We all got our jobs to do. And good heavens, this site itself is really awesome itself for this support of security, so I guess I feel like saying I’m really grateful for it. This whole ‘not much else we can do’ thing … man … that just doesn’t cut it. That’s just not good enough. I don’t mean what you *said* isn’t good enough – I really appreciate it, actually – I like it. And hey, don’t get me wrong, I’m still going to go to the very few stores I need to go to, and if they were hacked I would totally support them in that. I guess I just feel that I shouldn’t be more informed about their security than they are, and if I walk in, I would wish they would say ‘whoa hey man, don’t swipe that there, we may have been hacked, do this.’ I would totally support that. Sure that would be nice in my fantasy world, but apparently HD was being hacked even earlier than Target was?!? I guess where my head goes is … if I had a store … and I learned about the Target thing … finding out if my place was also vulnerable & fixing it would’ve been number one on my list of things to do. Instead we have this scene that reminds me of what it’s like when the captain of the high school football team is rumored to have gotten an std. And you know what, there is some darned good advice for us individuals about how to handle and take care of our stuff, here. Darned good advice. And I love it. I’ll sure be following up on it. I guess all I’m saying is when we go from a case of one or two or five to maybe a thousand, the context has shifted. Sure there are things I can do, and thanks to you all and this place & others – I *will* do. There’s not much more I can do. There’s not much more folks here in this place can do. 
It’s so true. Though it seems to me, there’s much more *somebody* somewhere can do.

The bigger question in my mind, Michael, is with regard to Home Depot’s initial statement, paraphrased: “Bla bla, old news. We’ve been investigating this for two months.” I did not read it myself but saw it in several articles.

Then their release on this one says they started the investigation on Sept. 2nd, the same day of Brian’s story.

Ummm, wouldn’t that mean they had a previous breach they had not publicly disclosed and were totally unaware of this one? Or did they think they had cleaned up that one but did not?

And the other non-statements seem to indicate that the breach is ongoing.

Man, I do not know! I don’t know. The rounds about what they might know, might’ve known, didn’t know, know now but didn’t know when … I don’t even know. Sure, I can freak out about Home Depot, I went there during the window of this threat. But what I want to know is from Meredith Belzak’s post on the twitter feed which leads here: https://www.pcisecuritystandards.org/news_events/statements.php to the August 27th post which clearly states “In a statement released on 22 August by the United States Secret Service and Department of Homeland Security, a warning was issued that a Point of Sale (POS) malware dubbed “Backoff” may have infected systems in over 1,000 organizations and represents a very real threat …” which leads to the release from DHS here: https://www.documentcloud.org/documents/1279345-secret-service-malware-announcement.html … so. Sure, Target, Sally, PF Changs were hacked, etc. Apparently there *may* be more than 990 *more* than that! Sure, we can worry about what Home Depot knew when, and what, and all – and actually that makes a lot of sense. But right now, as a consumer, what I want to know is who are the other 900-some-odd organizations?!? Sure, I can check if I went to Home Depot. But now I need to check if I went to 900 MORE places than Home Depot. But I can’t, because I don’t know what they are! WTF?!?

Don’t sweat it unless you’re using a debit card. Unless identity theft is involved (and if you are using a credit card), it’s not a big deal.

The only safe way to have a debit card, IMHO, is to have two accounts, your primary without a debit card and a secondary with the debit card. Put your paycheck into the primary and transfer money into the secondary to keep the debit card funded as needed. That way if the debit card is stolen, you don’t lose all of you cash.

The interesting twist in the Home Depot event is how they put the store location data in with the payment card data. That raises the possibility of ID theft when coupled with other non-Home Depot data.

I work in the financial services industry. By the time those Secret Service and other notices become public, they’ve already been circulated behind the scenes to potentially affected companies to get the word out. I saw those at least a week before they went public.

I describe my job in IT security as simply “Learning from the mistakes of others before they happen to us.”

Very pertinent advice JJ thank you, I have read it in one other place and will definitely be taking action on that. *grumble* I really like this advice and how strategic it is, even though part of me grouses about it. Thank you. But I’m not Jennifer Lawrence, either.

Part of the root cause of the problem is, many companies consider information security as a cost center, rather than as a value multiplier.
Pretty much the first question raised when discussing security is, “how much will this cost”, rather than asking how the proposed plan enhances the value of the existing network and products of the company.
Part of that response is due to the cost involved in protective technologies, but part is due to presentation.
If one presents proposed protective measures, only presenting measures, one’s proposal is viewed as a cost.
If one presents proposed protective measures in a way that clearly shows value enhancement, such as saved man hours in recovery, savings in prevented breaches and enhancement of reputation and hence, value of one’s services, the view as a cost to bear is changed to one of an investment that will have a desirable return.

Is everyone so numb that they fail to see the underlying problem of the crap OS these retailers cling to because their IT shop is packed full of Microsoft certified professionals with vested interest blinding management to ANY POSSIBILITY something else can do the job better! Yes there exists a full line of Apple compatible retail and POS environments getting the job done at Apple and all its retail operations world wide and even kiosks in most mall common areas. Wake up people!

Windows is the only operating system which actually damages itself in normal operation. The accumulated damage is the arthritis which develops over time. So much so there is a thriving industry of tools to clean up the wreckage and restore some reasonable performance.

The chief offender being the registry which Microsoft has elected to retain as a fully functional part of ALL windows products including current ones. Once you get to the registry you have them by the gonads. If you get into the SYSVOL on a network, GAME OVER! Once the SYSVOL has been gotten to the entire Active Directory network is compromised and it is impossible to get it out short of wiping the entire network HDD and rebuilding.

Adding to the fragility of Windows are DLLs, drivers, ini, inf, cpp, the browser and its add-ins, ActiveX, BIOS and application macros.

Between Windows damaging itself and all these avenues by which bad things can get to it, you are forced to purchase tools to clean up the messes. Then share CPU capacity and memory with an obligatory anti virus nanny. Resources in my view are stolen from my use on a machine I paid for. So I have to pay for more machine resource to be given over for the sole purpose of managing Microsoft sloppiness.

Windows and all its predecessors was conceived not as a safe and robust OS but as QDOS (Quick and Dirty Operating System) by Seattle Computer Products. The naive mentality was “don’t say no to anything anyone asks it to do.” Never imagining folks with bad intentions would ever want to do anything unethical or even illegal with that mentality.

I am fed up with this entire mess of constant monthly fixes, updates and patches and refuse to keep fighting with Microsoft and its rubbish products eating up my time having to deal with junk. I enjoy my Apple OS experience, because it is an experience where I turn it on and it does what I want it to do. No fuss no muss no histrionics no struggles no wasted time fighting with the environment. And I get to use ALL the machine I paid for!

Mark, that was a most fascinating tirade against Microsoft and for crApple I have ever heard!
First, Apple isn’t bulletproof, it’s just not as popular as Microsoft is, hence is targeted a bit less.
OS X is far from being secure by nature, it’s a brain damaged version of *BSD.

As for Microsoft’s security of previous products, I agree, M$ tended to be highly insecure in their code, implementation and practices in general. That *has* improved and has a bit more to go before it could be highly secure. I sincerely doubt Microsoft will ever manage to run the full rainbow series and acquire trusted operating system status. Apple will not manage that feat either.

Well good luck with that “job security”. Btw microsux is on 14% of devices and falling fast from its 99% of its monopoly years past. It is a relic of the legacy desktop era, and those too insecure to move on.

I never said http://en.m.wikipedia.org/wiki/Berkeley_Software_Distribution was perfect just an indisputably better pedigree. Windows is just an inherently and fundamentally flawed creation. Would you buy something that you know will have to be taken in for recall repairs the very next month and every month thereafter? Well you did if you bought into Windows.

And I don’t object to getting patches and fixes, it’s just getting a dozen or more a month, every month even on an OS that’s over 10 years old for God’s sake.

And since you brought up M$ I would also mention the constant $$$ M$ continually extorts from its followers. Since shifting to Apple I have NEVER paid for an upgrade for anything. Not for a new OS release/upgrade, Pages (Word), Numbers (Excel), Keynote (PowerPoint) NOTHING! How many times has M$ reached into your pocket since Windows 95? Or do you do what most folks do, bootleg because it just costs too much $$$? Microsux needs to get with the program, the days of $100+ applications are over as is charging for the latest release/upgrade.

Have you ever tried to get support for Weeniebloze? They want $35 just to pick up the phone after going through their auto attendant hell. God forbid the person that picks up actually knows what to do instead of just reading out of a database. And if they don’t, forget getting transferred to someone who does. With Apple I make an appointment at the Apple Store, I go in and sit across from a person, the problem is sorted and they charge me EXACTLY ZERO!

As for Java unless you are actually running Java applications in Windows you can uninstall it. JavaScript in the web browser doesn’t use it and Apple no longer ships it installed and hasn’t for several years. My last Windows XP laptops never had it installed either and it got along just fine without it.

Adobe, well my Mac has had 2 updates this year. I feel your pain I had it on my XP laptop. However the Apple version required considerable modification and cleanup for Apple. Also the underlying OS wasn’t so full of holes and sloppy execution either.

If you look me up on the Internet, my current résumé is truncated. It doesn’t cover my 17 years in IBM R&D labs in Boca Raton starting in 1980 and Research Triangle Park NC. Yes I have met Billy and Steve, I was there the day DOS 1.0 was delivered. I have worked for Dave Bradley, and Philip Donald Estridge.

Mark, you missed the boat yet again.
OS X isn’t as *much* a target due to its small market share, hence it is less attractive to criminals.

As for ages, I went to school on the PC back when IBM employees, wearing their blue blazers, stood up at the beginning of class and sang the IBM anthem.
I still remember how to configure DOS for maximum memory, tricks to put drivers up in high memory, NT 3.51 and the vast improvement in NT4 over 3.1, 3.11 and 3.51.
I also have a copy of Windows 1.0 somewhere…

You seem to believe the 14% market share Microsoft now enjoys is the big attraction for criminals. Criminals like any predator go after what gets them something with minimum risk and effort. The deep fundamental flaws, vulnerabilities, weaknesses and overall ease of getting at Windows are so well known and easy to exploit that there are malware SDKs (software development kits) available for purchase and even rental to DIY your own malware. Any shmuck with a few bucks and minimal programming skills can screw with your precious Windows now. Couple that with people doing foolish things such as plugging their computer directly into the modem rather than a properly protected router behind the modem, hacked web sites, phishing email and you have a problem real quick.

Apple OS isn’t invulnerable, it’s just harder to get to because some effort has been made to make it that way. Not saying it can’t be gotten to because it can, but for criminals they go after the low hanging fruit easy mark of Windows. As I said earlier, like any predator would. Just rent a malware SDK for a few days and you are in business, or should I say someone else’s business.

I seem to recall the Target malware was attributed to one of the malware SDKs available on the Internet for purchase or rental.

There are all manner of SDKs out there, for all manner of OS.
Attackers go for the majority market share first, the low hanging fruit second, the well protected systems last.
That router you plug into can be easily compromised, leaving an entry into your network. That router isn’t all that much to protect you to begin with, as UPNP can open holes into your network and many owners do open it up as far as imaginable for their various games, applications and even malware can open port forwarding.
True, it’s better than plugging directly into a cable modem, but it’s not a *real* firewall, regardless of what the manufacturer’s documentation says.

As for Microsoft, there has been a trend from highly insecure to competency. Microsoft has learned the hard way the prices borne out of insecurity. Eventually, Microsoft might actually turn out a secure product.
But then, there has only been one trusted operating system.
Ever.
That is Trusted Solaris.
Something not highly usable, by today’s computing standards, but it’s *very* secure.

The trick is finding the balance between security and usability.
Something hard to find while Adobe sabotages one’s efforts.

Is it possible that it is safer to shop at a breached vendor after a breach?
Well, the saying is, “Anything is possible”. The real question is, has the corporate leadership culture changed?
Law enforcement can only investigate and arrest criminals, it cannot and does not change corporate practices or consult in corporate network security.

Notifications from law enforcement, financial institutions and other parties uncover over 99% of breach cases in which payment card data was stolen — and not the retailers themselves — according to the Verizon 2014 Data Breach Investigations Report.

Some Canadians are sanctimonious about having smart chip cards, but that won’t prevent online fraudulent purchases especially if crooks also snag card CVV security codes. I check my bank/card accounts almost every day.

One thing jumps out: they said the Card Verification Value may have been compromised. But they don’t say if it’s CVV1 or CVV2. I’m guessing they mean CVV1 because they also mention the service code and I think they are both Track 1 data.

So, how do we “reach out and touch them” if they’re in a foreign nation?
For that matter, even if they’re domestic, how do we do that?
For the former, doing anything rash would be an act of war and cooperation of some nations is rather lacking.
For the latter, we have laws we must follow, not to mention a Constitution. With things required, such as a jury of one’s peers and proving beyond a reasonable doubt. That takes time and a lot of evidence.

And when one of the criminals are citizens of said nations or worse, operators for said nations and we “reach out and touch them” on their own soil, how do we ignore the reaction to a blatant act of war?
For, that *is* what you suggest. An act of war.
Indeed, if a national of one of the nations you mentioned did plot and even execute a plot against another nation of that subset (actually, a lot larger, due to certain treaties, but it gets unforgivably complex then), “reach out and touch” is against those treaties (and many others) and hence, is unlawful, courtesy of the US Constitution, which grants ratified treaties the status of “the law of the land”.
We are forced then to utilize the far more lawful process of police processes and extradition.

A strong suggestion: first, learn the US Constitution. I read it monthly, to remind me of what I was serving in rather primitive conditions. Secondly, remember the amendments are part of the Constitution, lest you make a fundamental error I’ve personally witnessed far too often in the past decade or so.
Finally, realize that the Constitution finds that ratified treaties are of the same force as federal law.
That said, I’ve found a few boneheads who think that a treaty can overrule the Constitution, that is not so. The Constitution gives authority, it can never lose authority save if it was specific to overrule the Constitution and was properly ratified as an amendment to the Constitution.
Which is as likely as an amendment making me King of the United States of America.
And no, I don’t want that job.
Frankly, I’d prefer a job of securing information in an enterprise of a billion than POTUS.

BTW, it wasn’t *only* Obama that did what you said, multiple presidents did the very same thing. Do try to keep both current and accurate.